Tuesday, April 5, 2011

Change Security Certificate jZebra

  1. Open command prompt (Assumes Windows 7)
  2. Type:
    > cd %PROGRAMFILES%\Java\jdk1*\bin
  3. Type:
    > keytool -import -alias myalias -file %USERPROFILE%\Documents\mycert.cer -keystore %USERPROFILE%\Documents\mykeystore.ks
  4. Since the keystore doesn't yet exist, it will be created, and you will be prompted for a keystore password; type whatever password you want. This will later be entered into NetBeans. For the purposes of this tutorial we will use the password "randomaccess123".
  5. Copy mykeystore.ks to the root of your jZebra project folder (probably %USERPROFILE%\Documents\NetBeansProjects\jZebra)
  6. If it is not already open, open NetBeans (Version 6.8+). Make sure Java Web Start is enabled in project properties.
  7. Navigate to Files in upper left (if hidden, CTRL + 2)
  8. Expand nbproject folder. Double click jnlp-impl.xml.
  9. Scroll to the section that says "<!-- Custom - Modified by Tres Finocchiaro 12/8/2010 -->" (Alternatively, you can CTRL+F to search for "tres")
  10. Change <property name="jnlp.signjar.keystore" value="${basedir}/jzebra.ks"/> to <property name="jnlp.signjar.keystore" value="${basedir}/mykeystore.ks"/>
  11. Change <property name="jnlp.signjar.storepass" value="**********"/> to <property name="jnlp.signjar.storepass" value="randomaccess123"/>
  12. Change <property name="jnlp.signjar.keypass" value="**********"/> to <property name="jnlp.signjar.keypass" value="randomaccess123"/>
  13. Change <property name="jnlp.signjar.alias" value="jzebra"/> to <property name="jnlp.signjar.alias" value="myalias"/>
  14. Note #1: If prompted for two passwords, I'm not sure exactly which is which, since the tutorial only addresses one of them. This will need clarification.
  15. Note #2: Jarsigner.exe should not be called directly, as a version of it is included in javawebstart.anttasks.SignJarsTask (NetBeans uses it for Java Web Start, we are exploiting its Jar Signing capabilities)
  16. Note #3: Verification for clients: The keytool command will print out the certificate information and ask you to verify it, for example, by comparing the displayed certificate fingerprints with those obtained from another (trusted) source of information. For example, customers might call up MyCompany and ask what the fingerprints should be. You can get the fingerprints of the mycert.cer file by executing the command:
    > cd %PROGRAMFILES%\Java\jdk1*\bin
    > keytool -printcert -file %USERPROFILE%\Documents\mycert.cer
  17. Note #4: At some point Oracle made a change to the keytool command. It seems JDK 1.6.x uses "keytool -importcert" instead of JDK 1.5.x "keytool -import". The tutorial version should be backwards compatible. This will need clarification.
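
The fingerprint comparison described in Note #3 can also be scripted instead of compared by eye. The following is an added example, not part of the original tutorial or the jZebra project; the function names and the sample bytes are constructed for illustration, and it assumes the trusted fingerprint was obtained through a separate channel as hex digits only.

```python
import base64
import binascii
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_der_bytes(raw: bytes) -> bytes:
    """Return the DER encoding of a .cer file that may be DER or PEM."""
    match = PEM_RE.search(raw)
    if match is None:
        return raw  # no PEM armor: treat the file as binary DER
    try:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc


def fingerprint(raw: bytes, algorithm: str = "sha256") -> str:
    """Fingerprint in keytool's display style: uppercase hex pairs joined by ':'."""
    digest = hashlib.new(algorithm, cert_der_bytes(raw)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_trusted(raw: bytes, trusted: str, algorithm: str = "sha256") -> bool:
    """Compare against a fingerprint obtained out of band, ignoring case and separators."""
    # Pass only the hex value, without a leading "SHA1:" or "SHA256:" label.
    wanted = re.sub(r"[^0-9A-Fa-f]", "", trusted).upper()
    actual = fingerprint(raw, algorithm).replace(":", "")
    # Lengths must be equal, so a truncated trusted value never matches.
    return hmac.compare_digest(actual.encode(), wanted.encode())


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; the hash is taken
    # over whatever DER bytes the file holds.
    sample_der = bytes.fromhex("3082000a") + b"constructed-sample"
    sample_pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_der)
                  + b"-----END CERTIFICATE-----\n")
    published = fingerprint(sample_der).lower().replace(":", " ")
    print(fingerprint(sample_pem))
    print(matches_trusted(sample_pem, published))         # same cert, PEM form
    print(matches_trusted(sample_der + b"x", published))  # altered file
```

To check a real file, read mycert.cer in binary mode and pass its bytes to `matches_trusted` together with the fingerprint the certificate owner gave you; use `algorithm="sha1"` when the trusted value is a SHA1 fingerprint.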
